What is claimed is:

1. A method of enabling a proxy client in a secured network to access a target service on behalf of a user, comprising the steps of:

registering proxy authorization information regarding the user with a trusted security server, the proxy authorization information identifying the proxy client and an extent of proxy authorization;

submitting, by the proxy client, a proxy request to the trusted security server requesting access to the target service on behalf of the user;

comparing, by the trusted security server, the proxy request with the proxy authorization information of the user to determine whether to grant the proxy request;

issuing, by the trusted security server, a data structure containing authentication data recognizable by the target service for authenticating the proxy client for accessing the target service on behalf of the user.

2. A method as in claim 1, wherein the data structure is a ticket containing a session key for use in a session formed between the proxy client and the target service.

3. A method as in claim 1, wherein the ticket is encrypted with a secret key shared by the target service and the trusted security server.

4. A method as in claim 1, wherein the step of comparing determines whether a proxy duration specified by the proxy authorization information has expired.

5. A method as in claim 1, wherein the step of submitting the proxy request includes transmitting a ticket for authenticating the proxy client to the trusted security server.

6. A computer-readable medium having computer-executable instructions for performing the steps of:

storing proxy authorization information from a user for authorizing a proxy client to act as a proxy of the user;

receiving a proxy request from the proxy client to access a target service on behalf of the user;

determining, based on the proxy authorization information of the user, whether to grant the proxy request;

constructing a data structure containing authentication data recognizable by the target service for authenticating the proxy client for accessing the target service on behalf of the user.

7. A computer-readable medium as in claim 6, having further computer-executable instructions for performing the step of authenticating the user based on a password of the user before storing the proxy authorization information.

8. A computer-readable medium as in claim 6, wherein the step of receiving the proxy request includes authenticating the proxy client based on a ticket issued to the proxy client for communicating with the trusted security server.

9. A computer-readable medium as in claim 6, having further computer-executable instructions for performing the step of sending the data structure to the proxy client for presenting to the target service for authentication of the proxy client.

10. A computer-readable medium as in claim 6, wherein the data structure is encrypted with a key shared by the target service and the trusted security server.

11. A computer-readable medium having computer-executable instructions for a client in a secured network system to perform the steps of:

submitting a proxy request to a trusted security server, the proxy request identifying a user and a target service that the client intends to access on behalf of the user;

receiving from the trusted security server a session key encrypted with a shared secret key shared by the client and the trusted security server, and a ticket for accessing the target service;

decrypting the session key with the shared secret key;

constructing an authenticator encrypted with the session key;

presenting the authenticator and the ticket to the target service for authentication of the client for access of the target service on behalf of the user.

12. A computer-readable medium as in claim 11, wherein the step of submitting the proxy request includes sending a ticket issued to the client for authenticating the client to the trusted security server.

13. A computer-readable medium having stored thereon a data structure containing information for proxy authorization, comprising:

a first data field containing an identification of a user of a secured network;

a second data field containing an identification of a security principal of the secured network authorized to act as proxy of the user;

a third data field containing data identifying a duration of proxy authorization;

a fourth data field containing data specifying a restriction on the proxy authorization.

14. A computer-readable medium as in claim 13, wherein the data in the third data field specify an expiration date of the proxy authorization.

15. A computer-readable medium as in claim 13, wherein the data in the fourth data field identify a service of the secured network that the security principal is permitted to access.

16. A computer-readable medium as in claim 13, wherein the security principal is a client on the secured network.

17. A computer-readable medium as in claim 13, wherein the security principal is a group on the secured network.
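The exchange that claims 1, 6, 11 and 13 describe, as an added illustration that is not code from the patent: a toy trusted security server stores the four-field proxy authorization record, refuses a proxy request whose duration has expired or whose service is outside the stated restriction, and otherwise returns a session key under the proxy client's key plus a ticket under the target service's key; the proxy client and target service sides follow. The keystream cipher is a stand-in built from HMAC-SHA256 so the block needs only the standard library, and all names and record fields are assumptions.

```python
import hashlib, hmac, json, os

def _stream(key, nonce, n):
    # Toy keystream (HMAC-SHA256 in counter mode); demo only, not a real cipher.
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range(n // 32 + 1))[:n]
def seal(key, data):
    # Encrypt-then-MAC with the toy keystream; output is nonce | ciphertext | tag.
    nonce = os.urandom(8)
    ct = bytes(a ^ b for a, b in zip(data, _stream(key, nonce, len(data))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()
def unseal(key, blob):
    nonce, ct, tag = blob[:8], blob[8:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication tag mismatch")
    return bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct))))
class TrustedSecurityServer:
    def __init__(self, keys):
        self.keys = keys        # long-term secret shared with each client and service
        self.proxy_auth = {}    # user -> record holding the four claim-13 fields
    def register(self, user, proxy, duration, allowed_services, now):
        self.proxy_auth[user] = {"user": user, "proxy": proxy,
                                 "expires": now + duration, "allowed": set(allowed_services)}
    def proxy_request(self, proxy, user, service, now):
        # Compare the request with the stored authorization before issuing anything.
        rec = self.proxy_auth.get(user)
        if rec is None or rec["proxy"] != proxy:
            raise PermissionError("proxy not authorized by user")
        if now >= rec["expires"]:                   # duration check (claim 4)
            raise PermissionError("proxy authorization expired")
        if service not in rec["allowed"]:           # service restriction (claim 15)
            raise PermissionError("service not permitted for this proxy")
        session_key = os.urandom(32)
        ticket = seal(self.keys[service], json.dumps({"user": user, "proxy": proxy,
                      "key": session_key.hex(), "exp": rec["expires"]}).encode())
        return seal(self.keys[proxy], session_key), ticket  # key under proxy's secret
def proxy_client_authenticate(proxy, proxy_key, enc_session_key, ticket, now):
    # Client side (claim 11): recover the session key and build an authenticator.
    session_key = unseal(proxy_key, enc_session_key)
    authenticator = seal(session_key, json.dumps({"proxy": proxy, "ts": now}).encode())
    return ticket, authenticator

def target_service_verify(service_key, ticket, authenticator, now, skew=300):
    # The service opens the ticket with its own key, then checks the authenticator.
    t = json.loads(unseal(service_key, ticket))
    a = json.loads(unseal(bytes.fromhex(t["key"]), authenticator))
    if a["proxy"] != t["proxy"] or abs(now - a["ts"]) > skew or now >= t["exp"]:
        raise PermissionError("authenticator does not match ticket")
    return t["user"], t["proxy"]
```

The target service never needs the proxy client's long-term key: the ticket it can open with its own key carries the session key that validates the authenticator, and a stale or replayed authenticator fails the skew check.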



